American Express Notifies Customers of Data Breach

American Express says names, card account numbers, and card expiration dates were compromised in a data breach.

American Express is notifying customers that their information was compromised in a data breach at a third-party services provider.

In a notification letter to the impacted customers, a copy of which was submitted to the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), the company explains that the incident impacted account information of some card members.

“We became aware that a third-party service provider engaged by numerous merchants experienced unauthorized access to its system. It is important to note that American Express owned or controlled systems were not compromised by this incident,” the notification letter reads.

According to American Express, the compromised information includes names, current and previously issued card account numbers, and other card details, such as expiration dates.

The financial services company says it is “vigilantly monitoring” customer accounts for fraud and notes that the impacted individuals are not liable for fraudulent charges on their accounts.

The notification letter also includes a series of recommendations on how individuals can protect their personal and card information, but does not share details on how the incident occurred. It is unclear how many individuals were impacted by the data breach.

Massachusetts OCABR’s latest data breach report shows that American Express disclosed several third-party data breaches over the past several weeks, involving retailers and merchant processors. Credit or debit card numbers were compromised in every incident.

“The potential impact of the American Express data breach is not yet known, as it is unclear whether customers’ data was simply accessed or if it has been exfiltrated through the third-party provider. If the sensitive data of customers, including card numbers and expiration dates, has been exfiltrated by attackers, it can be used to not only make fraudulent purchases, but also to extort customers into further payments,” BlackFog CEO and founder Darren Williams said in an emailed comment.

Update: Responding to SecurityWeek, American Express provided the following statement:

“The incidents that you are inquiring about occurred at a merchant or merchant processor and was not an attack on American Express or an American Express service provider, as some media outlets have erroneously reported. Because customer data was impacted, American Express provided notice of the incidents to Massachusetts agencies and impacted customers who reside in Massachusetts.

American Express Card Members are not liable for fraudulent charges on their accounts. We have sophisticated monitoring systems and internal safeguards in place to help detect fraudulent and suspicious activity. If we see there is unusual activity that may be fraud, we will take protective actions.”

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

